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Method and Apparatus for Transferring Data 
FROM AN ATM Connection Table to Memory for Use 
BY An Application Program 

5 

Related Application(s) 

The present application claims priority from a provisional patent application filed 
08/16/01 under serial number 60/313,039, which is incorporated herein by reference. 

•:5 10 

,1 Field of the Invention 

IP The present invention relates to network analysis systems, and more particularly to 

Q 

Irl monitoring a network for analysis purposes. 

L 15 

0 Background of the Invention 

With the advent of the hitemet, there has been a sharp increase in the demand for 
network bandwidth which has been principally driven by two trends: (i) the increasing 

20 number of networked computers exchanging data; and (ii) the increasing need for 

networked computers to exchange ever-increasing quantities of data. Li response to this 
demand, a variety of new computer network technologies have been developed that 
improve upon existing technologies by increasing the efficiency of data transmission, 
increasing the speed of data transmission, or both. Although such technologies achieve 

25 increased network bandwidth, they also create a need for new and improved 
technologies to analyze networks incorporating these technologies. 
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Network assessment tools referred to as "analyzers" are often relied upon to 
analyze networks during use. One example of such analyzers is the SNIFFER 
ANALYZER™ device manufactured by NETWORK ASSOCIATES, INC™. All 
analyzers have similar objectives such as determining why network performance is 
5 slow, understanding the specifics about excessive traffic, and/or gaining visibihty into 
various parts of the network. 

Analyzers are often used to monitor networks which are based on an 
asynchronous transfer mode (ATM) switching protocol. ATM switching is used in 

10 communications systems for switching voice, data, and video information. Frequently, 
these services are supported simultaneously by the same switch. In use, ATM switches 
are capable of switching small elements of information, called cells, rapidly between an 
input port and an output port. A header at the beginning of each cell contains identifying 
information that may also be modified in the course of this switching. During operation, 

1 5 the switches typically track the switching using connection tables, stored in a 
specialized memory in the switch. 

In the prior art, each connection supported by the switch occupies at least one 
entry in one or more of the connection tables. Typical analyzer tools extract these entries 
20 for gathering statistics and monitoring various network parameters. To date, such 

entries have been extracted one-at-a-time. In other words, typically analyzers issue one 
call command to extract one entry fi:om the connection table. This one-to-one relation 
thus results in a vast number of calls being made to extract the necessary data. 

25 Since typical scanning is carried out in real-time, it is often difficult to extract all 

of the required information in a manner efficient enough to keep up with the operation 
of the switch. Often, the analyzer must take incomplete "snap shots" of the contents of 
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the connection tables. This, in turn, results in incomplete statistics and substandard 
scanning results. 

There is thus a need for an apparatus and method for more efficiently and 
effectively collecting information from ATM connection tables for analysis purposes. 
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DlSCLOSURE OF THE INVENTION 

A system, method and computer program product are provided for copying data 
from an asynchronous transfer mode (ATM) connection table. In use, an ATM 

5 connection table on an ATM network is monitored. During such monitoring, it is 
determined whether entries of the ATM connection table are active. If the entries are 
active, associated data is periodically transferred from the active entries of the ATM 
connection table to memory. Identifiers associated with the data are utihzed for 
identification purposes. The transferred data in the memory may then be subsequently 

10 utihzed with an apphcation program. 

In one embodiment, the data may be transferred from the active entries of a 
plurality of ATM connection tables. Such plurality of ATM connection tables may 
include one ATM connection table for each of a plurality of ATM links. As an option, 
1 5 the plurality of ATM connection tables may include at least one common ATM 
connection table. 

In another embodiment, the entries of the ATM connection table may be deemed 
active if the entries have been just created since a previous transfer of data. Further, the 
20 entries of the ATM connection table may be deemed active if the entries have been 
altered since a previous transfer of data. As an option, the data from the active entries 
of the ATM connection table may include statistical information and/or state 
information. 

25 In still another embodiment, a period with which the data is periodically 

transferred from the active entries of the ATM connection table to the memory may be 
configurable. Moreover, the period may be configurable within a predetermined range. 
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Optionally, the predetermined range may be between 1 transfer/second to 4 
transfers/second. 

As an option, the periodic transfer of the data may be initiated utilizing an 
5 application program interface between the apphcation program and the memory. The 
periodic transfer of the data may also be ceased utilizing the application program 
interface between the application program and the memory. Such apphcation program 
interface may be capable of identifying a location in the memory to which the data is to 
be transferred. Further, the application program interface may identify a period at which 
1 0 the data is to be transferred to the memory. Still yet, the data from each entry of the 
ATM connection table may be transferred independently. 

In still yet another embodiment, the memory may be interrupted in order for the 
apphcation program to use the transferred data. Optionally, multiple instances of the 
1 5 data may be stored in the memory. Moreover, the memory may store the data in a 
circular manner. 

It should be noted that the aforementioned identifiers may include ATM 
connection identifiers. During use, such identifiers may be translated per the desires of 
20 the user. In use, an age of the data may be tracked so that the data may be deleted upon 
the age reaching a predetermined amount. 
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Brief Description of the Drawings 

Figure 1 is a schematic diagram of a network architecture, in accordance with 
5 one embodiment. 

Figure 2 illustrates the transfer of the entries between the connection table and 
analyzer memory, in accordance with one embodiment. 

10 Figure 3 shows a method for copying data from the connection table such as the 

ATM connection table shown in Figures 1 and 2. 

Figure 4 illustrates a method that is executed in parallel with the method of 
Figure 3 for clearing the entries that have been transferred to the memory. 

15 
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Descriptiqn of the Preferred Embodiments 

5 Figure 1 illustrates an exemplary architecture 100, in accordance with one 

embodiment. As shown, at least one input device 102 is provided along with at least 
one output device 104. In the context of the present description, the input device 102 
and the output device 104 maybe any networked device that is capable of receiving and 
sending communications, respectively. For example, the input and output devices may 

10 include a desktop computer, lap-top computer, hand-held computer, printer or any other 
type of logic. 

Each input device 102 and output device 104 of the present architecture 100 is 
coupled by way of a network 106. hi the context of the present architecture 100, the 
1 5 network 106 may take any form including, but not limited to a local area network 
(LAN), a wide area network (WAN) such as the hitemet, etc. 

As shown in Figure 1, coupled to the network 106 is an analyzer 108. Such 
analyzer may be coupled to a gateway, switch, input device 102, output device 104, or 
20 any other networked device or logic. Jn an embodiment where the analyzer 108 is 
coupled to an Internet switch, the switch may be an Asynchronous Transfer Mode 
(ATM) switch, a Frame Relay switch or any other switch that acts on units of user data 
usually called data cells. 

25 As is well known, each cell has an identifying section such as a header, used for 

routing or identifying purposes. The data cells can represent actual data as from a 
computer, voice, video, or any other type of information. The present embodiment is 
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described in terms of an ATM switch. However, the same technology can be appHed to 
other types of switches as well. 

As shown, the analyzer 108 includes at least one input port 110 and an output 
5 port 112 coupled to the input device 102 and the output device 104, respectively. An 
ATM core 114 is coupled between the input port 110 and the output port 112, In use, 
each input port 110 interfaces and connects to one or more of the input devices 102 for 
passing fully formed ATM cells to the ATM core 114. The output port 112 accepts 
fully formed cells and emits them to one or more of the output devices 104. It should be 
1 0 noted that the ATM core 114 may emit cells to a plurality of output ports represented by 
output port 112, and may send a plurality of copies of the cell to a single output port 
112, each with a different header. 

The ATM core 114 includes a certain number of connection slots to be 
15 configured for connecting the input ports represented by input port 110 and the output 
ports represented by the output port 112, or to be idle. Also included is a connection 
table 116 coupled to the ATM core 114 for tracking each connection supported by the 
ATM core 114 in a plurality of entries. 

20 It should be noted that the analyzer 108 may be separate from or integral with 

the aforementioned components. In one embodiment, the analyzer 108 maybe a 
standalone device which monitors the traffic/segment between two ATM switches 
[Network to Network Interface (NNI)] or between an ATM end-station and a switch 
[User to Network Interface (UNI)]. 

25 

A computer 118 may be coupled to the analyzer 108 or constitute a component 
of the analyzer 108 for extracting such entries from the connection table 116 for 
gathering statistics and monitoring various network parameters. Such statistics and 
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network parameters may then be used to troubleshoot, monitor network performance, 
and/or enhance security provisions, i.e. detect attacks, vulnerabihties, mahcious code, 
etc. 

5 Unhke prior art analyzers, the present embodiment extracts the entries from the 

connection table 116 by copying multiple entries into memory. This allows a more 
comprehensive collection of statistics with respect to the prior art method of extracting 
entries one-at-a-time. 

10 Figure 2 illustrates the transfer of the entries between the connection table 116 

and analyzer memory 202, in accordance with one embodiment. It should be noted that 
the analyzer memory 202 may be a component of the computer 118 of Figure 1, 
dedicated memory, or any other desired memory located in any desired location. In use, 
the data stored in the ATM connection table may include statistical information, state 

1 5 information, protocol information, or any other data capable of being used to enhance 
the operation and security of the architecture 100. In one embodiment, the analyzer 
memory 202 may include at least 4Kbytes. 

As shown in Figure 2, the connection table 116 includes a plurality of active 
20 entries 204 and a plurality of idle entries 206. In one embodiment, the entries of the 
connection table 116 may be deemed active if the entries have been just created since a 
previous transfer of data. Further, the entries of the connection table 116 may be 
deemed active if the entries have been ahered since a previous transfer of data. Still yet, 
a portion of the cormection table 116 may be left unused. 

25 

It should be noted that a plurahty of such connection tables 116 may be 
provided. In such embodiment, one ATM connection table may be provided for each of 
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a plurality of ATM links. Further, the plurality of ATM connection tables may include 
at least one common ATM connection table. 

Figure 3 illustrates a method 300 for copying data from a connection table such 
5 as the ATM connection table shown in Figures 1 and 2. In operation 302, the ATM 
connection table is monitored. Upon a triggering event, the entries in the ATM 
connection table are copied over into memory, hi one embodiment, the triggering event 
may be a periodic interrupt signal generated by the analyzer. It should be noted, 
however, that the triggering event may be produced by any desired logic that determines 
1 0 when it is appropriate for the entries in the ATM connection table to be copied over into 
memory. 

In one embodiment, a period with which the interrupt signal is generated may be 
configurable. Moreover, the period may be configurable within a predetermined range. 
1 5 Optionally, the predetermined range may be between 1 transfer/second to 4 
transfers/second. This range may ensure optimal transfer of data to enable a 
comprehensive statistical analysis by the analyzer. 

Once it is determined in decision 304 that the interrupt is received, the various 
20 entries of the ATM connection table are identified. Note operation 306. The purpose of 
such identification process may be to identify which entries of the ATM connection 
table are suitable for transfer to the memory. In particular, it is determined in decision 
310 whether the identified entries are active. As mentioned earher, the entries of the 
connection table may be deemed active if the entries have been just created since a 
25 previous transfer of data, the entries have been altered since a previous transfer of data, 
or the entries are in any other way ready to be transferred. 
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If the entries are deemed active in decision 310, data is transferred from such 
entries of the ATM connection table to memory. See operation 312. Next, in decision 
314, it is determined whether any additional entries exist. If so, a next entry of the ATM 
connection table is identified in operation 315, and operation 312 is repeated for any 
5 additional active entries. Optionally, multiple instances of the data of each entry may be 
stored in the memory, if the resources of the memory are sufficient. While an 
independent transfer of entries is set forth hereinabove, it should be understood that 
contiguous entries may be transferred at once if supported by the accompanying 
hardware. 

10 

Moreover, the memory may store the data in a circular manner. In other words, 
the data may be transferred from the ATM connection table to the entries in the memory 
in sequential order from a first entry to a last entry in the memory. Once the last entry in 
the memory is filled, the process maybe repeated at the first entry. 

15 

As mentioned eariier, the data may be transferred from the active entries of a 
pluraUty of ATM connection tables, where each ATM connection table corresponds to 
one of a plurality of ATM links. Further, the plurahty of ATM connection tables may 
include at least one common ATM connection table from which entries are extracted. 

20 

Once it is has been determined in decision 314 that no fiirther additional entries 
exist, an application program associated with the analyzer may be prompted to use the 
entries transferred to the memory. See operation 316. So that the application program 
may use the entries transferred to the memory, identifiers associated with the data may 
25 be utiUzed for identification purposes. It should be noted that such identifiers may 
include ATM connection identifiers. As an option, such identifiers may be translated 
into a "CAM ID" which is traditionally used by the ATM core. 
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As an option, the periodic transfer of the data may be initiated utihzing an 
appUcation program interface between the application program and the memory. The 
periodic transfer of the data may also be ceased utilizing the appUcation program 
interface. Such application program interface may be further capable of identifying a 
5 location in the memory to which the entry data is to be transferred. Further, the 

appUcation program interface may identify a period at which the data is to be transferred 
to the memory. 

By periodically initiating the transfer of all active entries to memory, a more 
1 0 complete set of data is collected for use by the analyzer when monitoring an associated 
architecture. Further, by storing the entries in the memory, the appUcation program is 
given adequate time to adequately analyze the entry data. As an option, the memory 
transfer method 300 maybe interrupted in order to further ensure that the appUcation 
program has adequate time to use the transferred data. 

15 

Figure 4 illustrates a method 400 that is executed in parallel with the method 
300 of Figure 3 for clearing the entries that have been transferred to the memory. It 
should be noted that the method 400 may be continuously executed while the method 
300 of Figure 3 is being used to extract entries from the connection table. 

20 

As shown, one of the entries is identified in operation 402 after which it is 
determined in decision 404 whether the age thereof has exceeded a predetermined 
amount. Such predetermined age may be selected based on when the usefulness of an 
entry is conventionally depleted. If such age has been exceeded, the entry may be 
25 cleared in operation 406, 

After the entry is cleared or it is determined in decision 404 that the age of the 
present entry has not exceeded the predetermined amount, a next entry is identified. 
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Note operation 408. By this design, the entries may be sequentially checked to 
determine whether the age has exceeded the threshold, and deleted accordingly in order 
to make room for additional incoming transferred data. 

5 While various embodiments have been described above, it should be understood 

that they have been presented by way of example only, and not limitation. Thus, the 
breadth and scope of a preferred embodiment should not be limited by any of the above- 
described exemplary embodiments, but should be defined only in accordance with the 
following claims and their equivalents. 

10 
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